A Primer on Situational Awareness

STRATFOR/Scott Stewart, 20 June 2010: The world is a wonderful place, but it can also be a dangerous one. In almost every corner of the globe militants of some political persuasion are plotting terror attacks — and these attacks can happen in London or New York, not just in Peshawar or Baghdad. Meanwhile, criminals operate wherever there are people, seeking to steal, rape, kidnap or kill.

Regardless of the threat, it is very important to recognize that criminal and terrorist attacks do not materialize out of thin air. In fact, quite the opposite is true. Criminals and terrorists follow a process when planning their actions, and this process has several distinct steps. This process has traditionally been referred to as the “terrorist attack cycle,” but if one looks at the issue thoughtfully, it becomes apparent that the same steps apply to nearly all crimes. Of course, there will be more time between steps in a complex crime like a kidnapping or car bombing than there will be between steps in a simple crime such as purse-snatching or shoplifting, where the steps can be completed quite rapidly. Nevertheless, the same steps are usually followed.

People who practice situational awareness can often spot this planning process as it unfolds and then take appropriate steps to avoid the dangerous situation or prevent it from happening altogether. Because of this, situational awareness is one of the key building blocks of effective personal security — and when exercised by large numbers of people, it can also be an important facet of national security. Since situational awareness is so important, and because we discuss situational awareness so frequently in our analyses, we thought it would be helpful to discuss the subject in detail and provide a primer that can be used by people in all sorts of situations. . . . .

OPSEC: It’s analogous to the topic above from Sratfor. I have lamented many times over the issues concerning OPSEC and general IT security issues within companies such as that which shall not be named *but you know who you are.. and your logo should not be an eagle, instead perhaps an ostritch might be more apropriate*… but I digress… Where was I, oh yes, OPSEC and YOU.

Situational Awareness is a part of OPSEC, in fact, I would dare to say that it is the basic core of OPSEC. If you don’t know the variables of danger in your environment and you are not paying attention, then, well you get hacked in IT and in real life situations, you get dead potentially. Its all about seeing the dangers, even the ones that are not so obvious such as a tiger sitting next to you looking real hungry like and growling. It is my basic contention though, that since we left the ancient savanna and urbanized everything we have lost the ability to see danger very well. Especially long term danger.

On the face of it you have several levels of awareness to understand and cogitate.

1) Immediate dangers like the tiger

2) Middle term dangers that are likely given the situation

3) Exotic dangers that seem too inconceivable for many to act on

In our daily lives we have all of these in our environment. The situational awareness that Stratfor is talking about is the immediate danger. It is unfortunately becoming more common now that there is a possibility that any one of us could be bombed by a jihadist. Just going to work if you live in a city gives you more potential statistically to be a target, but, we still go on about our business and sometimes do not pay attention to what is going on around us. Something that we need to do even if we aren’t a target of a terrorist. Often though, we are in our own little digital iPhone/iPod worlds and oblivious.

Now, I am not saying to be a quivering mass of senses and nerves always looking for terrorists or dangers at each corner, but, I am saying “Pay Attention” if you really look, you might see something that could help you or others.

It was such awareness that stopped Shazhads little exploit from actually catching on to real fire as opposed to exploding. The vendor near the car saw the smoke and called the cops. He did not however, really take note of the driver, nor the fact he had parked the car illegally etc… Or if he did, it was nothing “unusual”

Long term dangers and those exotic ones, well, these are something different. However, in the IT world, they are rooted in very BASIC tenets of security that if paid attention to, could be DENIED to the would be attackers. Things such as:

Don’t give out too much information on social networking sites

Don’t write your passwords on post its and leave them laying about

Same goes for passwords and other data on a PC/Mac/PDA/Phone Encrypt them!

Don’t twitter or facebook you are going on vacation or leaving the house for X amount of time.. Hello burglars! I am GONE! COME ON IN!

I could go on, but I think you get the point. Unfortunately, in the corporate world, these things still just don’t get thought through or acted on.

It’s too hard to encrypt our data!

It’s too hard to teach users to be secure!

It’s too costly to implement security!

Passwords with too many characters are HARD to remember! (9 chars? Really? How do you remember your fucking names?)

All of these things are basic tenets of OPSEC and you have to be SITUATIONALLY AWARE to understand and to be PROACTIVE about fixing issues.

WHY OH WHY DID WE GET HACKED?

“Your government failed you.. They did not connect the dots”

We are awash in a sea of data… One need only be aware of it to act accordingly.